Tuesday, April 21, 2009

The OSIS I5 OpenID interop testing is well underway. Last weekend, while testing some OpenID relying party web sites, John Bradley happened upon a web site that failed a particularly alarming test. Further investigation revealed that the security hole affected all OpenID relying parties based on Janrain’s Ruby OpenID library. Perhaps Janrain is using its Ruby library for RPXNow, because I discovered that RPXNow had the same security hole.

Janrain acted quickly. They fixed RPXNow and released an update to the OpenID Ruby library (version 2.1.5) within a day or so after we reported the bugs to them.

What does this mean for OpenID relying parties? If you are using Janrain’s Ruby OpenID library (if you’re based on Ruby you probably are), make certain you are using the very new 2.1.5 version. RPXNow customers don’t need to do anything as the patch was applied at the service.

I won’t go into the exploit details, since there are still vulnerable relying parties that haven’t upgraded yet. Let’s just say that this security hole was particularly devastating, as it allowed a hacker to spoof anyone’s identity at the RP. In English: “anyone could log in as anyone”. Well, some basic knowledge of how OpenID works and/or a hacker tool would be required.

Aftermath

RPXNow customers as well as Ruby OpenID library users have been vulnerable, potentially for several months. This means that if your site used RPXNow to allow OpenID logins, your users’ web accounts may have been hijacked, even if you haven’t heard any reports of it.

If your site uses RPXNow or the Ruby OpenID library and stores private information for your users, you owe it to your users to notify them that their private data may have been compromised and/or their accounts/identity stolen. Again, RPXNow has already been patched so in the future users will hopefully be safe, but the fix cannot be retroactive, and previously hijacked accounts are still victims.

I haven’t seen Janrain make any announcements regarding this security vulnerability. I hope that in their private channels to their RPXNow and Ruby library customers they have advised them of the problem and that they should contact their respective customers to warn them of the potential loss of private data.

I personally feel awful about this. As neat as OpenID is, one of its weaknesses is that a user cannot be confident that an arbitrary RP he/she’s about to log into is a secure implementation of OpenID, and thus bugs like this can greatly reduce public trust in using OpenID to secure their identities. But that’s why we do OSIS OpenID testing… to find and correct bugs like these. I just wish we never found anything serious.